Unauthorized user creating Computer accounts on AD

Richard

Here's the deal: I work as a sysadmin for a company where a
user showed me how he was able to create a computer
account on AD. Based on what he's told me, he's always
been able to, but he doesn't know why or how, and no one
else has the ability.

He's neither a member of Enterprise Admin, Domain Admin,
or Account Operators group.

He's creating it where it's going into the default
Computer Container in the root of the Active Directory and
his account was not delegated any control.

I checked his group membership and none of the groups he's
a member of are within the administrative groups named
above.

I verified that he does not have admin rights in the sense
that he could not access an administrative share on either
the network or servers.

What's going on???!!!
 
To clarify, I meant he does not have domain admin rights
when trying to access any other computers, including
servers' administrative shares.
 
This is not true. I've never seen this to be true. Plus,
this user has created more than just 10 computer objects
on the domain.
 
Windows 2000 grants the "Add workstations to domain" user right to the
Authenticated Users group by default. This means any authenticated
user can create up to 10 computer accounts in the domain. This is also
valid for Windows Server 2003.

Can be solved by:
1. Pre-Create the computer account
2. Delegating permissions to create computer accounts in an OU
3. Change the ms-DS-MachineAccountQuota attribute value using ldp or
adsiedit

Reference:

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/?id=251335

However, some customers have reported that they actually could create
more than 10 before hitting this limit, but I have not been able to
verify that.

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net
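As an added example (not part of the original thread or Johan's reply), the following PowerShell script audits the mechanism described above: it reads ms-DS-MachineAccountQuota on the domain head, lists which computer objects in the default Computers container were created by non-delegated users (those objects record the creator in mS-DS-CreatorSID, while objects created by admins or through delegated rights leave it empty, which is how you can confirm who created the accounts in Richard's case), and then applies fix 3 by setting the quota to 0. The delegation step (fix 2) is shown with dsacls against a hypothetical OU and group; the RSAT ActiveDirectory module and an account allowed to write the domain object are assumed.

```powershell
# Added example, not from the original thread. Assumes the RSAT
# ActiveDirectory module and rights to read the domain head, read the
# Computers container, and write ms-DS-MachineAccountQuota.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Read the current quota. The default of 10 is what lets any member of
#    Authenticated Users create computer accounts with no delegated rights.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDN = $quota"

# 2. Find computer objects created under the quota. AD stamps mS-DS-CreatorSID
#    (stored as a byte array) only when the creator used the quota rather than
#    an explicit Create-Child permission, so a non-empty value is the evidence.
$createdUnderQuota = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -Properties 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator; Created = $_.whenCreated }
    }
$createdUnderQuota | Format-Table -AutoSize

# 3. Fix 3 from the reply: set the quota to 0 so that only principals holding
#    "Create Computer objects" on a container can add machine accounts.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. Fix 2 from the reply: delegate creation to a specific group on a specific
#    OU instead. OU and group names below are hypothetical placeholders.
$workstationOU = "OU=Workstations,$domainDN"
$joinGroup     = "$($domain.NetBIOSName)\Workstation-Joiners"
dsacls $workstationOU /I:T /G "${joinGroup}:CC;computer"

# Re-read to confirm the change took effect.
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Run step 2 first and keep its output before changing anything: it tells you whether the user in question really used the quota (his SID appears as CreatedBy) or whether some delegation you have not found is at work (CreatedBy is empty). Setting the quota to 0 does not remove the objects already created, nor does it affect accounts with genuine delegated rights or pre-created computer accounts, which is why the reply lists those as alternatives rather than replacements.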
 